Last year’s cyberattack against internet provider Dyn was something of a milestone. For the first time in a large-scale campaign, the attackers didn’t go directly at their target’s servers. Instead, they pressed Mirai malware into service. This malware automatically discovers Internet of Things (IoT) devices and leverages poor IoT security, allowing the attackers to link about 100,000 of these ill-secured devices into a centrally controlled botnet. They then launched a highly successful distributed denial-of-service (DDoS) attack against Dyn’s servers.
Mirai-powered fraudsters struck again the end of last year, this time wiping out internet service for nearly 1 million Deutsche Telekom customers. Moreover, investigators suggested that the operators behind the Dyn attack may have gone public with the malware’s source code. This could potentially give other cybercriminals a leg up in developing their own flavors of Mirai to attack IoT devices.
The State of IoT Security
There are two unimpeachable truths about IoT devices. The first is that the volume of these devices is exploding. Gartner estimated that about 6.4 billion IoT devices were in use in 2016, a number the firm expects to more than triple in just three years to 21 billion.
The second truth is that these devices, which can hold massive troves of personal, operational and corporate data, are notoriously insecure. Forrester Research noted that IoT security is in its “creation phase” and doesn’t have established quality controls or standards. In fact, they are widely manufactured with few, if any, standards, and often arrive with weak default passwords.
IoT Security Spending Skyrocketing
“The affordability and compactness of computing is what places IoT technology within affordable reach,” said Scott Crawford, research director for information security at 451 Research. “Without demonstrated threats, manufacturers may see little compulsion to incorporate strong security in these devices and systems.”
Organizations are quickly ratcheting up IoT security spending. Gartner predicted that such spending would amount to roughly $550 million by next year, a figure that could skyrocket by 2020. The veritable boom of IoT devices and the pressing need to secure them could potentially lead to extreme shortages of IoT security specialists within two to three years. Bear in mind, IT professionals must secure not only the devices themselves, but also their operating systems, platforms, networks and other interconnected systems.
This all translates into extra security precautions IT leaders must apply to various routine business activities. Consider merger and acquisition activity, for example. Obviously, an overall security assessment of the target company’s infrastructure is a key requirement.
“If IoT devices are authenticated and managed through identity management systems, their integration should parallel that of IT systems and endpoints,” Crawford noted. He added that acquiring companies must assure that IoT networks and clusters are somehow segmented from unexpected exposure that may result from the transition, especially for sensitive operational environments.
Securing Your IoT Environment
What else can enterprises do to secure the burgeoning IoT environment today? For one thing, security leaders should be aware of industry groups that have taken the lead in bolstering the security of operational technologies, including IoT devices. These groups include the North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection Committee (CIPC) for electric utilities, the Health Information Trust Alliance (HITRUST) and the Society of Automotive Engineers, which published an invaluable cybersecurity guidebook.
Crawford advised organizations to apply the same principles that they apply to overall IT security to IoT security. Strategists should include IoT deployments in broader strategies for insulating networks and systems from attacks, thus “assuring controls on access to sensitive functionality, protecting confidential data and evaluating the resilience of systems to exploit.”
Crawford also pointed out the growing number of businesses and consultancies seeking to work with enterprises wrestling with IoT security issues. It’s critical, however, to distinguish between legitimate services and vendors merely pushing their potentially insecure products.
The oncoming wave of IoT is unstoppable — although it could be slowed by governmental regulation if device manufacturers don’t step up their game when it comes to security and interoperability standards. For the near term, however, IoT security solutions will be far from standardized, especially given the number of device-makers globally. Cybercriminals know this and will likely redouble efforts to exploit IoT security gaps.
Partner, Gillin + Laberis